On 6 December 2022, the ICO announced that, whereas previously it had published enforcement notices, fines and summaries of its audit reports, “now we will publish all reprimands going forward, including reprimands issued from January 2022 onwards, unless there is a good reason not to, such as matters of national security or that it is likely to jeopardise any ongoing investigation”.
The ICO says this is part of its ICO25 strategy to reduce the impact of fines on the public by working more closely with the public sector to raise data protection standards, encourage compliance with data protection law and prevent breaches.
Examples published include a reprimand to North Yorkshire Police in November 2022 where a date was incorrectly inputted onto an application to acquire communications data/IP address resolution for a single IP address, which resulted in a wrongful arrest for the serious offence of making indecent images of children. The ICO found breaches of the fourth data protection principle (accuracy) – s38(1)(a) and (b), (4), and (5)(a) and (b) of Part 3, Law Enforcement Processing, Chapter 2 of the DPA 2018. The published reprimand makes clear that both the facts relating to the infringement and the remedial action taken by the Police contributed to the decision: police forces, other public authorities and private bodies are likely to find both aspects useful learning.
Also in November 2022, the ICO issued a reprimand to the Department of Education for failing to protect a Learning Records Service database which contained personal and sensitive data relating to children. The reprimand was issued instead of a £10m fine, enforcement action which the ICO had considered “effective, proportionate and dissuasive” and which was likely to have been issued were it not for the Commissioner’s revised approach to the public sector. The ICO determined that there had been breaches of the GDPR, Article 5(1)(a) ‘lawfulness, fairness and transparency’, and 5(1)(f) ‘integrity and confidentiality’.
Whilst the published list of reprimands relates predominantly to public bodies, it does also include ongoing cases against private companies such as Virgin Media Ltd (September 2022) where the ICO was not satisfied that it had processed Subject Access Requests without delay and in accordance with Articles 12(3) and 15(1) and (3) of the UK GDPR; and against Grindr LLC (July 2022) where the ICO was concerned that its processing of personal and special category data of its UK user-base and transparency of privacy information were not in accordance with Article 5(1)(a) of the UK GDPR which requires data to be ‘processed lawfully, fairly and in a transparent manner in relation to the data subject’.
Both the public and private sectors are likely to benefit not only from extracting learning from published reprimands, but also from gaining material for bolstering arguments that a reprimand rather than a fine might be appropriate in certain cases.
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.